Method and system for detecting a keylogger that encrypts data captured on a computer

ABSTRACT

A method and system for detecting a keylogger that encrypts data captured on a computer. One illustrative embodiment acquires a first sample of a portion of a memory of a computer, the portion of the memory being associated with a running process on the computer; inputs to the computer, in a manner that mimics keyboard input, a first data pattern consisting of at least one occurrence of each of a first set of distinct sub-patterns; acquires a second sample of the portion of the memory; compares the first and second samples of the portion of the memory to identify at least one data segment in which the second sample has changed relative to the first sample; and flags the running process as a potential keylogger when the at least one data segment contains a second data pattern matching the overall sub-pattern structure of the first data pattern despite the particular sub-patterns making up the first and second data patterns being different.

RELATED APPLICATIONS

The present application is related to commonly owned and assigned U.S. application Ser. No. 11/334,318, Attorney Docket No. WEBR-033/00US, entitled “Method and System for Detecting a Keylogger on a Computer,” which is incorporated herein by reference.

FIELD OF THE INVENTION

The present invention relates generally to the detection of pestware or malware on computers. In particular, but without limitation, the present invention relates to methods and systems for detecting keyloggers.

BACKGROUND OF THE INVENTION

Protecting personal computers from a never-ending onslaught of pestware or malware has become increasingly important and challenging. Some types of pestware or malware can compromise a user's privacy by sending sensitive information about the user or the user's computer to a remote destination without the user's knowledge or permission. Such malware is commonly referred to as “spyware.” One particular type of spyware, a “keylogger,” secretly records a user's keystrokes as the user types on a keyboard and captures the resulting text in a data file, which is often encrypted. The keylogger may also secretly send the captured data file to a remote destination by e-mail or some other communication protocol. Such a keylogger can be used by a remote party to acquire information such as credit card numbers, social security numbers, and other sensitive information.

Clearly, computer users have a strong motivation to detect and remove unwanted keyloggers from their systems. Many computer users rely on anti-pestware programs to detect and remove such threats. Some anti-pestware programs detect keyloggers by inputting a known, typically repeating, data pattern to the system in a manner that appears to the system to be keyboard input and searching process memory for the known data pattern. This method fails, however, when the keylogger encrypts the data it captures. In that case, the data captured by the keylogger appears to be completely different from the input “decoy” data pattern. Some keyloggers also evade detection by writing their memory buffers to a disk file very shortly after capturing a group of keystrokes and flushing their memory buffers.

It is thus apparent that there is a need in the art for an improved method and system for detecting keyloggers that encrypt data captured on a computer.

SUMMARY OF THE INVENTION

Illustrative embodiments of the present invention that are shown in the drawings are summarized below. These and other embodiments are more fully described in the Detailed Description section. It is to be understood, however, that there is no intention to limit the invention to the forms described in this Summary of the Invention or in the Detailed Description. One skilled in the art can recognize that there are numerous modifications, equivalents, and alternative constructions that fall within the spirit and scope of the invention as expressed in the claims.

The present invention can provide a method and system for identifying a keylogger that encrypts data captured on a computer. One illustrative embodiment is a method comprising acquiring a first sample of a portion of a memory of a computer, the portion of the memory being associated with a running process on the computer; inputting to the computer, in a manner that mimics keyboard input, a first data pattern consisting of at least one occurrence of each of a first set of distinct sub-patterns; acquiring a second sample of the portion of the memory; comparing the first and second samples of the portion of the memory to identify at least one data segment in which the second sample has changed relative to the first sample; and flagging the running process as a potential keylogger when the at least one data segment contains a second data pattern matching the overall sub-pattern structure of the first data pattern despite the particular sub-patterns making up the first and second data patterns being different.

Another illustrative embodiment is a system comprising a data acquisition module configured to acquire first and second samples of a portion of a memory of a computer, the portion of the memory being associated with a running process on the computer; a data injection module configured to input to the computer, at a time between acquisition of the first and second samples and in a manner mimicking keyboard input, a first data pattern consisting of at least one occurrence of each of a first set of distinct sub-patterns; and an analysis module configured to compare the first and second samples of the portion of the memory to identify at least one data segment in which the second sample has changed relative to the first sample and to flag the running process as a potential keylogger when the at least one data segment contains a second data pattern that matches the overall sub-pattern structure of the first data pattern despite the particular sub-patterns making up the first and second data patterns being different.

BRIEF DESCRIPTION OF THE DRAWINGS

Various objects and advantages and a more complete understanding of the present invention are apparent and more readily appreciated by reference to the following Detailed Description and to the appended claims when taken in conjunction with the accompanying Drawings, wherein:

FIG. 1 is a functional block diagram of a computer equipped with a keylogger detection system in accordance with an illustrative embodiment of the invention;

FIG. 2A is an illustration of an input data pattern made up of sub-patterns in accordance with an illustrative embodiment of the invention;

FIG. 2B is an illustration of an encrypted data pattern corresponding to the data pattern shown in FIG. 2A in accordance with an illustrative embodiment of the invention; and

FIG. 3 is a flowchart of a method for detecting a keylogger that encrypts data captured on a computer, in accordance with an illustrative embodiment of the invention.

DETAILED DESCRIPTION

In one illustrative embodiment of the invention, a keylogger on a computer is detected by inputting to the computer, in a manner mimicking keyboard input, a data pattern that can be recognized in memory despite that data pattern being encrypted and searching the memory for the altered but still-recognizable data pattern. In this embodiment, “memory” can be any computer storage medium, including, without limitation, random access memory (RAM) and non-volatile storage such as a magnetic disk drive.

The input data pattern can be rendered recognizable in memory despite encryption by structuring it as a “pattern of repeating sub-patterns.” That is, the input data pattern consists of at least one occurrence of each of a set of distinct sub-patterns (e.g., sub-strings). When a keylogger employs an encryption algorithm that produces a consistent output each time a given input occurs, the “pattern of repeating sub-patterns” in the input data pattern can still be recognized within the encrypted data even though the sub-patterns in the input and encrypted data patterns are completely different. When the overall structure of the input data pattern is recognized among the encrypted data, the running process whose memory has been scanned can be flagged as a potential keylogger. Optionally, a user may be notified that the running process has been flagged as a potential keylogger.

To improve the reliability of keylogger detection, the above process of injecting a structured data pattern and searching changed process memory for a recognizable encrypted data pattern can be performed multiple times for a given running process.

Referring now to the drawings, where like or similar elements are designated with identical reference numerals throughout the several views, and referring in particular to FIG. 1, it is a functional block diagram of a computer equipped with a keylogger detection system in accordance with an illustrative embodiment of the invention. Computer 100 can be a desktop computer, workstation, laptop computer, notebook computer, handheld computer, or any other device that includes computing functionality. In FIG. 1, processor 105 communicates over data bus 110 with input devices 115, display 120, storage device 125, and memory 130.

Input devices 115 may be, for example, a keyboard and a mouse or other pointing device. In an illustrative embodiment, storage device 125 is a magnetic-disk device such as a hard disk drive (HDD). In other embodiments, however, storage device 125 can be any type of computer storage device, including, without limitation, a magnetic-disk drive, an optical-disc drive, and a storage device employing flash-memory-based media such as secure digital (SD) cards or multi-media cards (MMCs). Memory 130 may include random-access memory (RAM), read-only memory (ROM), or a combination thereof.

In this illustrative embodiment, memory 130 contains keylogger detection system 135 and an arbitrary running process 140. Keylogger detection system 135 detects keyloggers on computer 100 and, when appropriate, removes them from computer 100. In the illustrative embodiment of FIG. 1, keylogger detection system 135 is an application program stored on a computer-readable storage medium of computer 100 (e.g., storage device 125) that can be loaded into memory 130 and executed by processor 105. In other embodiments, the functionality of keylogger detection system 135 can be implemented in software, firmware, hardware, or any combination thereof.

For convenience in this Detailed Description, the functionality of keylogger detection system 135 has been divided into three functional modules: data acquisition module 145, data injection module 150, and analysis module 155. In some embodiments, keylogger detection system 135 includes additional user-interface and keylogger-removal modules (not shown in FIG. 1) for interacting with a user and removing keyloggers from computer 100, respectively. In various embodiments of the invention, the functionality of these functional modules may be combined or subdivided in a variety of ways. For example, in some embodiments, analysis module 155 may be configured to include user-interface and keylogger-removal functionality.

Data acquisition module 145 is configured to read a portion of the memory of computer 100 associated with a running process 140. The memory read may be executable-program and data memory (e.g., a RAM portion of memory 130) associated with running process 140 or non-volatile memory associated with running process 140 such as a disk file on storage device 125.

Data injection module 150 is configured to input to computer 100, in a manner that mimics keyboard input, an input data pattern consisting of one or more occurrences of each of a set of distinct sub-patterns. In this illustrative embodiment, data injection module 150 injects the input data pattern at a time between the acquisition of two separate samples of the memory associated with running process 140 by data acquisition module 145. The staggered-time process memory samples allow analysis module 155 to look for regions of change in the memory associated with a particular running process 140, narrowing the search for a recognizable data pattern among the encrypted data captured by a keylogger.

In one embodiment, data injection module 150 mimics keyboard input by generating the input data pattern using a driver-level process associated with keylogger detection system 135 and sending the input data pattern to a hidden window (e.g., a one-pixel window) on computer 100. Techniques for employing such a driver and hidden window in the detection of keyloggers are explained more fully in commonly owned and assigned U.S. application Ser. No. 11/334,318, Attorney Docket No. WEBR-033/00US, entitled “Method and System for Detecting a Keylogger on a Computer,” which is incorporated herein by reference.

Analysis module 155 is configured to examine samples of memory associated with a given running process 140 that have been acquired by data acquisition module 145 to determine whether a later sample has changed relative to an earlier sample. Once one or more such regions of changed process memory have been identified, analysis module 155 examines those regions for an encrypted data pattern having the same structure (“pattern of repeating sub-patterns”) as the input data pattern. If such an encrypted data pattern is found, analysis module 155 flags running process 140 as a potential keylogger. Optionally, analysis module 155 also alerts a user that running process 140 is a potential keylogger. In other embodiments, keylogger detection system 135 may offer the user the option of removing the suspected keylogger from computer 100.

FIG. 2A is an illustration of an input data pattern made up of sub-patterns in accordance with an illustrative embodiment of the invention. Input data pattern 200 may be American Standard Code for Information Interchange (ASCII) text, binary data, or data represented in some other format. In this simplified example, input data pattern 200 consists of two repeating sub-patterns, sub-pattern 205 (“ABC”) and sub-pattern 210 (“DEFG”). For clarity, spaces have been added between occurrences of sub-pattern 205 and sub-pattern 210 in FIG. 2A.

FIG. 2B is an illustration of an encrypted data pattern corresponding to input data pattern 200 shown in FIG. 2A in accordance with an illustrative embodiment of the invention. In this example, a keylogger has used a block cipher to produce encrypted data pattern 215, which consists of two repeating sub-patterns, sub-pattern 220 (“123”) and sub-pattern 225 (“4567”). For clarity, spaces have been added between sub-patterns 220 and 225 in FIG. 2B.

For simplicity, only two distinct sub-patterns are shown in FIGS. 2A and 2B. In other embodiments, more than two distinct sub-patterns are used, and input data pattern 200 is larger than the simplified example shown in FIG. 2A.

Analysis module 155 can recognize the correspondence between input data pattern 200 and encrypted data pattern 215 by identifying the repeating sub-patterns 220 and 225 in the memory associated with a running process 140 (a keylogger) and verifying that those repeating sub-patterns 220 and 225 satisfy certain further conditions for input data pattern 200 and encrypted data pattern 215 to have the same overall structure (“pattern of repeating sub-patterns”). One condition is that each sub-pattern in encrypted data pattern 215 occur the same number of times in encrypted data pattern 215 as a unique corresponding sub-pattern in input data pattern 200 occurs in input data pattern 200. Another condition is that the sub-patterns in encrypted data pattern 215 occur in the same order as the corresponding unique sub-patterns occur in input data pattern 200.

In the example of FIGS. 2A and 2B, sub-pattern 205 in input data pattern 200 and sub-pattern 220 in encrypted data pattern 215 both occur four times in their respective data patterns. Likewise, sub-pattern 210 in input data pattern 200 and sub-pattern 225 in encrypted data pattern 215 both occur twice. Therefore, the first condition above is satisfied. Further, the corresponding sub-patterns that occur with the same frequency in the respective data patterns also appear in the same order in both data patterns. Thus, both input data pattern 200 and encrypted data pattern 215 have the same overall structure or “pattern of repeating sub-patterns,” namely “S₁ S₁ S₂ S₂ S₁ S₁,” where S₁ and S₂ are distinct sub-patterns. That the sub-patterns are completely different in the two data patterns does not matter because encrypted data pattern 215 can still be recognized, based on its structure of repeating sub-patterns, as being derived from input data pattern 200.

The techniques described in connection with FIGS. 2A and 2B are suitable for any keylogger whose encryption produces the same output each time a given input occurs, as a block cipher does when used in a codebook fashion. One common block-cipher mode of operation of this kind is electronic codebook (ECB) mode, in which a given plaintext block always encrypts to the same ciphertext block. More complex modes such as cipher-block chaining (CBC), which encrypts a given input differently from occurrence to occurrence, are not frequently used by keyloggers. Those skilled in the art will recognize that any suitable pattern-recognition techniques, including techniques different from those discussed in connection with FIGS. 2A and 2B, may be used to identify encrypted data pattern 215.

Those skilled in the art will recognize that even though the example of FIGS. 2A and 2B shows a one-to-one correspondence between the number of characters in an input sub-pattern and the number of characters in the corresponding encrypted sub-pattern, this is not a requirement. So long as the encryption scheme outputs the same symbol or group of symbols for a given input each time that input occurs, the number of input and corresponding output (encrypted) characters may be different. For example, the above techniques could be used with an encryption algorithm whose codebook causes every occurrence of “ABC” to be encrypted as “12345.” In such a case, the “pattern of repeating sub-patterns” can still be recognized using the same techniques explained above.

FIG. 3 is a flowchart of a method for detecting a keylogger that encrypts data captured on a computer 100, in accordance with an illustrative embodiment of the invention. At 305, data acquisition module 145 reads a first sample of a portion of the memory of computer 100 that is associated with a running process 140. At 310, data injection module 150 inputs to computer 100, in a manner mimicking keyboard input, an input data pattern 200 made up of distinct, repeating sub-patterns as explained in connection with FIGS. 2A and 2B. At 315, data acquisition module 145 reads a second, later sample of the portion of the memory of computer 100 associated with running process 140. At 320, analysis module 155 compares the first and second samples read by data acquisition module 145 to identify one or more regions of the second sample that have changed relative to the first sample. If such regions are found at 325, analysis module 155 analyzes those changed regions of process memory at 330 to determine whether an encrypted data pattern 215 having the same overall structure of sub-patterns, despite the sub-patterns themselves being different, is present. If a matching data pattern is found at 335, analysis module 155 flags running process 140 as a potential keylogger. Optionally, analysis module 155 notifies a user of computer 100 that running process 140 is a potential keylogger. At 345, the process terminates.
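The comparison and structural-matching steps of blocks 320 through 335, together with the FIG. 2A/2B recognition conditions and the variable-length case described above, as an added example that is not code from the patent: it assumes a toy deterministic codebook (a stand-in for the keylogger's cipher) and a constructed 256-byte memory sample, and it generalizes the FIG. 2B example so that each encrypted sub-pattern may have a length different from its plaintext counterpart.

```python
# Added example (not the patent's code): memory diff + structural decoy match.
import hashlib
import itertools

# FIG. 2A: S1 = "ABC" and S2 = "DEFG" injected in the order S1 S1 S2 S2 S1 S1.
SUBPATTERNS = {"S1": b"ABC", "S2": b"DEFG"}
STRUCTURE = ("S1", "S1", "S2", "S2", "S1", "S1")

def build_decoy(structure=STRUCTURE, subpatterns=SUBPATTERNS):
    """Concatenate the sub-patterns in the order given by the structure."""
    return b"".join(subpatterns[s] for s in structure)

def toy_codebook_encrypt(plaintext, key=b"constructed-key"):
    """Assumed stand-in for a keylogger cipher that always emits the same output
    for a given input (ECB-like): each byte becomes a fixed 2-byte code, masked
    to 7 bits so it never equals the 0xFF filler used in demo()."""
    out = bytearray()
    for b in plaintext:
        digest = hashlib.sha256(key + bytes([b])).digest()
        out += bytes(x & 0x7F for x in digest[:2])
    return bytes(out)

def changed_segments(before, after, merge_gap=4):
    """(start, end) ranges where `after` differs from `before`; runs separated by
    at most `merge_gap` unchanged bytes (chance coincidences) are merged."""
    if len(before) != len(after):
        raise ValueError("samples must cover the same memory range")
    segments, i, n = [], 0, len(after)
    while i < n:
        if before[i] == after[i]:
            i += 1
            continue
        start = i
        while i < n and before[i] != after[i]:
            i += 1
        if segments and start - segments[-1][1] <= merge_gap:
            segments[-1] = (segments[-1][0], i)
        else:
            segments.append((start, i))
    return segments

def find_structure(data, structure, max_len=16):
    """Find byte strings in `data` arranged like `structure` (same symbols, counts
    and order), each symbol with its own unknown length, so an encrypted
    sub-pattern may be longer or shorter than the plaintext one. Symbols may not
    be powers of a common string (a+b == b+a), or a run of one repeated byte
    would satisfy every structure. Returns (offset, {symbol: bytes}) or None."""
    symbols = list(dict.fromkeys(structure))
    for offset in range(len(data)):
        for lengths in itertools.product(range(1, max_len + 1), repeat=len(symbols)):
            size = dict(zip(symbols, lengths))
            assigned, pos, ok = {}, offset, True
            for sym in structure:
                chunk = data[pos:pos + size[sym]]
                if sym in assigned:
                    ok = assigned[sym] == chunk
                else:
                    ok = len(chunk) == size[sym] and all(
                        chunk + o != o + chunk for o in assigned.values())
                    assigned[sym] = chunk
                if not ok:
                    break
                pos += size[sym]
            if ok:
                return offset, assigned
    return None

def scan_process(before, after, structure=STRUCTURE, slack=4):
    """Blocks 320-335 of FIG. 3: diff the samples, then search each changed region
    (widened by `slack` bytes per side) for the decoy's structure."""
    hits = []
    for start, end in changed_segments(before, after):
        lo, hi = max(0, start - slack), min(len(after), end + slack)
        found = find_structure(after[lo:hi], structure)
        if found:
            hits.append((lo + found[0], found[1]))
    return hits

def demo():
    """Constructed scenario: 256 bytes of 0xFF filler as the first sample; in the
    second sample the keylogger's encrypted copy of the decoy sits at offset 100."""
    before = b"\xff" * 256
    captured = toy_codebook_encrypt(build_decoy())
    after = before[:100] + captured + before[100 + len(captured):]
    return scan_process(before, after)
```

`demo()` returns one hit at offset 100 whose S1 and S2 are the 6-byte and 8-byte encrypted forms of “ABC” and “DEFG”; the commuting-string check is the guard a practitioner wants so that a zeroed buffer is not reported as a structural match.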

Many variations of the method diagrammed in FIG. 3 are possible. For example, all of the actions shown in FIG. 3 can be repeated multiple times for a given running process 140 to increase the reliability of keylogger detection system 135. Also, if no changed process-memory data is found at 325, the process can return to block 305 for another attempt. Once analysis module 155 has identified a potential keylogger, a user-interface function of keylogger detection system 135 can offer a user of computer 100 the option of removing the suspected keylogger from computer 100. In response to input from the user, keylogger detection system 135 then removes the suspected keylogger from computer 100. In other embodiments, removal of a suspected keylogger is performed automatically without the need for user input.

In conclusion, the present invention provides, among other things, a method and system for identifying keyloggers that encrypt data captured on a computer. Those skilled in the art can readily recognize that numerous variations and substitutions may be made in the invention, its use, and its configuration to achieve substantially the same results as achieved by the embodiments described herein. Accordingly, there is no intention to limit the invention to the disclosed illustrative forms. Many variations, modifications, and alternative constructions fall within the scope and spirit of the disclosed invention as expressed in the claims.

1. A method for detecting a keylogger that encrypts data captured on a computer, the method comprising: acquiring a first sample of a portion of a memory of the computer, the portion of the memory being associated with a running process on the computer; inputting to the computer, in a manner that mimics keyboard input, a first data pattern consisting of at least one occurrence of each of a first set of distinct sub-patterns; acquiring a second sample of the portion of the memory; comparing the first and second samples of the portion of the memory to identify at least one data segment in which the second sample has changed relative to the first sample; and flagging the running process as a potential keylogger when: the at least one data segment contains a second data pattern consisting of at least one occurrence of each of a second set of distinct sub-patterns, each sub-pattern in the second set of distinct sub-patterns occurs the same number of times in the second data pattern as a corresponding unique sub-pattern in the first set of distinct sub-patterns occurs in the first data pattern, and the sub-patterns in the second data pattern occur in the same order as the corresponding unique sub-patterns occur in the first data pattern.
 2. The method of claim 1, wherein the method is performed a plurality of times for a particular running process.
 3. The method of claim 1, further comprising: notifying a user that the running process is a potential keylogger when the running process has been flagged as a potential keylogger.
 4. The method of claim 1, further comprising: automatically removing the running process from the computer when the running process has been flagged as a potential keylogger.
 5. The method of claim 1, further comprising: removing the running process from the computer in response to user input when the running process has been flagged as a potential keylogger.
 6. The method of claim 1, wherein the memory is random-access memory.
 7. The method of claim 1, wherein the memory is a non-volatile memory.
 8. The method of claim 1, wherein the first and second sets of distinct sub-patterns are disjoint.
 9. A system for detecting a keylogger that encrypts data captured on a computer, the system comprising: a data acquisition module configured to acquire first and second samples of a portion of a memory of the computer, the portion of the memory being associated with a running process on the computer; a data injection module configured to input to the computer, at a time between acquisition of the first and second samples and in a manner mimicking keyboard input, a first data pattern consisting of at least one occurrence of each of a first set of distinct sub-patterns; and an analysis module configured to: compare the first and second samples of the portion of the memory to identify at least one data segment in which the second sample has changed relative to the first sample; and flag the running process as a potential keylogger when: the at least one data segment contains a second data pattern consisting of at least one occurrence of each of a second set of distinct sub-patterns, each sub-pattern in the second set of distinct sub-patterns occurs the same number of times in the second data pattern as a corresponding unique sub-pattern in the first set of distinct sub-patterns occurs in the first data pattern, and the sub-patterns in the second data pattern occur in the same order as the corresponding unique sub-patterns occur in the first data pattern.
 10. The system of claim 9, wherein the analysis module is further configured to notify a user that the running process is a potential keylogger when the analysis module has flagged the running process as a potential keylogger.
 11. The system of claim 9, wherein the analysis module is further configured to remove the running process from the computer automatically when the analysis module has flagged the running process as a potential keylogger.
 12. The system of claim 9, wherein the analysis module is further configured to remove the running process from the computer in response to user input when the analysis module has flagged the running process as a potential keylogger.
 13. The system of claim 9, wherein the memory is random access memory.
 14. The system of claim 9, wherein the memory is a non-volatile memory.
 15. The system of claim 9, wherein the first and second sets of distinct sub-patterns are disjoint.
 16. A system for detecting a keylogger that encrypts data captured on a computer, the system comprising: means for acquiring first and second samples of a portion of a memory of the computer, the portion of the memory being associated with a running process on the computer; means for inputting to the computer, at a time between acquisition of the first and second samples and in a manner mimicking keyboard input, a first data pattern consisting of at least one occurrence of each of a first set of distinct sub-patterns; means for comparing the first and second samples of the portion of the memory to identify at least one data segment in which the second sample has changed relative to the first sample; and means for flagging the running process as a potential keylogger when: the at least one data segment contains a second data pattern consisting of at least one occurrence of each of a second set of distinct sub-patterns, each sub-pattern in the second set of distinct sub-patterns occurs the same number of times in the second data pattern as a corresponding unique sub-pattern in the first set of distinct sub-patterns occurs in the first data pattern, and the sub-patterns in the second data pattern occur in the same order as the corresponding unique sub-patterns occur in the first data pattern.
 17. A computer-readable storage medium containing program instructions executable by a processor to detect a keylogger that encrypts data captured on a computer, the program instructions comprising: a first instruction segment configured to acquire first and second samples of a portion of a memory of the computer, the portion of the memory being associated with a running process on the computer; a second instruction segment configured to input to the computer, at a time between acquisition of the first and second samples and in a manner mimicking keyboard input, a first data pattern consisting of at least one occurrence of each of a first set of distinct sub-patterns; and a third instruction segment configured to: compare the first and second samples of the portion of the memory to identify at least one data segment in which the second sample has changed relative to the first sample; and flag the running process as a potential keylogger when: the at least one data segment contains a second data pattern consisting of at least one occurrence of each of a second set of distinct sub-patterns, each sub-pattern in the second set of distinct sub-patterns occurs the same number of times in the second data pattern as a corresponding unique sub-pattern in the first set of distinct sub-patterns occurs in the first data pattern, and the sub-patterns in the second data pattern occur in the same order as the corresponding unique sub-patterns occur in the first data pattern. 